netfilter: nf_tables: expose opaque set element as struct nft_elem_priv

	unsigned char		data[];

};

/* placeholder structure for opaque set element backend representation. */

struct nft_elem_priv { };

/**

 *	struct nft_set_elem - generic representation of set elements

 *

		u32		buf[NFT_DATA_VALUE_MAXLEN / sizeof(u32)];

		struct nft_data val;

	} data;

	void			*priv;

	struct nft_elem_priv	*priv;

};

static inline void *nft_elem_priv_cast(const struct nft_elem_priv *priv)

{

	return (void *)priv;

}

struct nft_set;

struct nft_set_iter {

	u8		genmask;

						  const struct nft_set_ext **ext);

	bool				(*update)(struct nft_set *set,

						  const u32 *key,

						  void *(*new)(struct nft_set *,

						  struct nft_elem_priv *

							(*new)(struct nft_set *,

							       const struct nft_expr *,

							       struct nft_regs *),

						  const struct nft_expr *expr,

	void				(*activate)(const struct net *net,

						    const struct nft_set *set,

						    const struct nft_set_elem *elem);

	void *				(*deactivate)(const struct net *net,

	struct nft_elem_priv *		(*deactivate)(const struct net *net,

						      const struct nft_set *set,

						      const struct nft_set_elem *elem);

	void				(*flush)(const struct net *net,

						 const struct nft_set *set,

						 void *priv);

						 struct nft_elem_priv *priv);

	void				(*remove)(const struct net *net,

						  const struct nft_set *set,

						  const struct nft_set_elem *elem);

	void				(*walk)(const struct nft_ctx *ctx,

						struct nft_set *set,

						struct nft_set_iter *iter);

	void *				(*get)(const struct net *net,

	struct nft_elem_priv *		(*get)(const struct net *net,

					       const struct nft_set *set,

					       const struct nft_set_elem *elem,

					       unsigned int flags);

}

static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set,

						   void *elem)

						   const struct nft_elem_priv *elem_priv)

{

	return elem + set->ops->elemsize;

	return (void *)elem_priv + set->ops->elemsize;

}

static inline struct nft_object **nft_set_ext_obj(const struct nft_set_ext *ext)

					 const struct nft_set *set,

					 const struct nlattr *attr);

void *nft_set_elem_init(const struct nft_set *set,

struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,

					const struct nft_set_ext_tmpl *tmpl,

			const u32 *key, const u32 *key_end, const u32 *data,

					const u32 *key, const u32 *key_end,

					const u32 *data,

					u64 timeout, u64 expiration, gfp_t gfp);

int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,

			    struct nft_expr *expr_array[]);

void nft_set_elem_destroy(const struct nft_set *set, void *elem,

void nft_set_elem_destroy(const struct nft_set *set,

			  const struct nft_elem_priv *elem_priv,

			  bool destroy_expr);

void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,

				const struct nft_set *set, void *elem);

				const struct nft_set *set,

				const struct nft_elem_priv *elem_priv);

struct nft_expr_ops;

/**

struct nft_set_elem_catchall {

	struct list_head	list;

	struct rcu_head		rcu;

	void			*elem;

	struct nft_elem_priv	*elem;

};

static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,

	return 0;

}

void *nft_set_elem_init(const struct nft_set *set,

struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,

					const struct nft_set_ext_tmpl *tmpl,

					const u32 *key, const u32 *key_end,

			const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)

					const u32 *data,

					u64 timeout, u64 expiration, gfp_t gfp)

{

	struct nft_set_ext *ext;

	void *elem;

}

/* Drop references and destroy. Called from gc, dynset and abort path. */

void nft_set_elem_destroy(const struct nft_set *set, void *elem,

void nft_set_elem_destroy(const struct nft_set *set,

			  const struct nft_elem_priv *elem_priv,

			  bool destroy_expr)

{

	struct nft_set_ext *ext = nft_set_elem_ext(set, elem);

	struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);

	struct nft_ctx ctx = {

		.net	= read_pnet(&set->net),

		.family	= set->table->family,

		nft_data_release(nft_set_ext_data(ext), set->dtype);

	if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))

		nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));

	if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))

		nft_use_dec(&(*nft_set_ext_obj(ext))->use);

	kfree(elem);

	kfree(elem_priv);

}

EXPORT_SYMBOL_GPL(nft_set_elem_destroy);

 * path via nft_setelem_data_deactivate().

 */

void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,

				const struct nft_set *set, void *elem)

				const struct nft_set *set,

				const struct nft_elem_priv *elem_priv)

{

	struct nft_set_ext *ext = nft_set_elem_ext(set, elem);

	struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);

	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))

		nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));

	kfree(elem);

	kfree(elem_priv);

}

int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,

	return 0;

}

static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,

static struct nft_elem_priv *nft_dynset_new(struct nft_set *set,

					    const struct nft_expr *expr,

					    struct nft_regs *regs)

{

	const struct nft_dynset *priv = nft_expr_priv(expr);

	struct nft_set_ext *ext;

	void *elem_priv;

	u64 timeout;

	void *elem;

	if (!atomic_add_unless(&set->nelems, 1, set->size))

		return NULL;

	timeout = priv->timeout ? : set->timeout;

	elem = nft_set_elem_init(set, &priv->tmpl,

	elem_priv = nft_set_elem_init(set, &priv->tmpl,

				      &regs->data[priv->sreg_key], NULL,

				      &regs->data[priv->sreg_data],

				      timeout, 0, GFP_ATOMIC);

	if (IS_ERR(elem))

	if (IS_ERR(elem_priv))

		goto err1;

	ext = nft_set_elem_ext(set, elem);

	ext = nft_set_elem_ext(set, elem_priv);

	if (priv->num_exprs && nft_dynset_expr_setup(priv, ext) < 0)

		goto err2;

	return elem;

	return elem_priv;

err2:

	nft_set_elem_destroy(set, elem, false);

	nft_set_elem_destroy(set, elem_priv, false);

err1:

	if (set->size)

		atomic_dec(&set->nelems);

#include <net/netfilter/nf_tables_core.h>

struct nft_bitmap_elem {

	struct nft_elem_priv	priv;

	struct list_head	head;

	struct nft_set_ext	ext;

};

	return NULL;

}

static void *nft_bitmap_get(const struct net *net, const struct nft_set *set,

static struct nft_elem_priv *

nft_bitmap_get(const struct net *net, const struct nft_set *set,

	       const struct nft_set_elem *elem, unsigned int flags)

{

	const struct nft_bitmap *priv = nft_set_priv(set);

		    !nft_set_elem_active(&be->ext, genmask))

			continue;

		return be;

		return &be->priv;

	}

	return ERR_PTR(-ENOENT);

}

			     const struct nft_set_elem *elem,

			     struct nft_set_ext **ext)

{

	struct nft_bitmap_elem *new = nft_elem_priv_cast(elem->priv), *be;

	struct nft_bitmap *priv = nft_set_priv(set);

	struct nft_bitmap_elem *new = elem->priv, *be;

	u8 genmask = nft_genmask_next(net);

	u32 idx, off;

			      const struct nft_set *set,

			      const struct nft_set_elem *elem)

{

	struct nft_bitmap_elem *be = nft_elem_priv_cast(elem->priv);

	struct nft_bitmap *priv = nft_set_priv(set);

	struct nft_bitmap_elem *be = elem->priv;

	u8 genmask = nft_genmask_next(net);

	u32 idx, off;

				const struct nft_set *set,

				const struct nft_set_elem *elem)

{

	struct nft_bitmap_elem *be = nft_elem_priv_cast(elem->priv);

	struct nft_bitmap *priv = nft_set_priv(set);

	struct nft_bitmap_elem *be = elem->priv;

	u8 genmask = nft_genmask_next(net);

	u32 idx, off;

}

static void nft_bitmap_flush(const struct net *net,

			     const struct nft_set *set, void *_be)

			     const struct nft_set *set,

			     struct nft_elem_priv *elem_priv)

{

	struct nft_bitmap_elem *be = nft_elem_priv_cast(elem_priv);

	struct nft_bitmap *priv = nft_set_priv(set);

	u8 genmask = nft_genmask_next(net);

	struct nft_bitmap_elem *be = _be;

	u32 idx, off;

	nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off);

	nft_set_elem_change_active(net, set, &be->ext);

}

static void *nft_bitmap_deactivate(const struct net *net,

				   const struct nft_set *set,

static struct nft_elem_priv *

nft_bitmap_deactivate(const struct net *net, const struct nft_set *set,

		      const struct nft_set_elem *elem)

{

	struct nft_bitmap_elem *this = nft_elem_priv_cast(elem->priv), *be;

	struct nft_bitmap *priv = nft_set_priv(set);

	struct nft_bitmap_elem *this = elem->priv, *be;

	u8 genmask = nft_genmask_next(net);

	u32 idx, off;

	priv->bitmap[idx] &= ~(genmask << off);

	nft_set_elem_change_active(net, set, &be->ext);

	return be;

	return &be->priv;

}

static void nft_bitmap_walk(const struct nft_ctx *ctx,

		if (!nft_set_elem_active(&be->ext, iter->genmask))

			goto cont;

		elem.priv = be;

		elem.priv = &be->priv;

		iter->err = iter->fn(ctx, set, iter, &elem);

{

	struct nft_bitmap *priv = nft_set_priv(set);

	BUILD_BUG_ON(offsetof(struct nft_bitmap_elem, priv) != 0);

	INIT_LIST_HEAD(&priv->list);

	priv->bitmap_size = nft_bitmap_size(set->klen);

	struct nft_bitmap_elem *be, *n;

	list_for_each_entry_safe(be, n, &priv->list, head)

		nf_tables_set_elem_destroy(ctx, set, be);

		nf_tables_set_elem_destroy(ctx, set, &be->priv);

}

static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features,

};

struct nft_rhash_elem {

	struct nft_elem_priv		priv;

	struct rhash_head		node;

	struct nft_set_ext		ext;

};

	return !!he;

}

static void *nft_rhash_get(const struct net *net, const struct nft_set *set,

static struct nft_elem_priv *

nft_rhash_get(const struct net *net, const struct nft_set *set,

	      const struct nft_set_elem *elem, unsigned int flags)

{

	struct nft_rhash *priv = nft_set_priv(set);

	he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params);

	if (he != NULL)

		return he;

		return &he->priv;

	return ERR_PTR(-ENOENT);

}

static bool nft_rhash_update(struct nft_set *set, const u32 *key,

			     void *(*new)(struct nft_set *,

			     struct nft_elem_priv *

				   (*new)(struct nft_set *,

					  const struct nft_expr *,

					  struct nft_regs *regs),

			     const struct nft_expr *expr,

{

	struct nft_rhash *priv = nft_set_priv(set);

	struct nft_rhash_elem *he, *prev;

	struct nft_elem_priv *elem_priv;

	struct nft_rhash_cmp_arg arg = {

		.genmask = NFT_GENMASK_ANY,

		.set	 = set,

	if (he != NULL)

		goto out;

	he = new(set, expr, regs);

	if (he == NULL)

	elem_priv = new(set, expr, regs);

	if (!elem_priv)

		goto err1;

	he = nft_elem_priv_cast(elem_priv);

	prev = rhashtable_lookup_get_insert_key(&priv->ht, &arg, &he->node,

						nft_rhash_params);

	if (IS_ERR(prev))

	/* Another cpu may race to insert the element with the same key */

	if (prev) {

		nft_set_elem_destroy(set, he, true);

		nft_set_elem_destroy(set, &he->priv, true);

		atomic_dec(&set->nelems);

		he = prev;

	}

	return true;

err2:

	nft_set_elem_destroy(set, he, true);

	nft_set_elem_destroy(set, &he->priv, true);

	atomic_dec(&set->nelems);

err1:

	return false;

			    const struct nft_set_elem *elem,

			    struct nft_set_ext **ext)

{

	struct nft_rhash_elem *he = nft_elem_priv_cast(elem->priv);

	struct nft_rhash *priv = nft_set_priv(set);

	struct nft_rhash_elem *he = elem->priv;

	struct nft_rhash_cmp_arg arg = {

		.genmask = nft_genmask_next(net),

		.set	 = set,

static void nft_rhash_activate(const struct net *net, const struct nft_set *set,

			       const struct nft_set_elem *elem)

{

	struct nft_rhash_elem *he = elem->priv;

	struct nft_rhash_elem *he = nft_elem_priv_cast(elem->priv);

	nft_set_elem_change_active(net, set, &he->ext);

}

static void nft_rhash_flush(const struct net *net,

			    const struct nft_set *set, void *priv)

			    const struct nft_set *set,

			    struct nft_elem_priv *elem_priv)

{

	struct nft_rhash_elem *he = priv;

	struct nft_rhash_elem *he = nft_elem_priv_cast(elem_priv);

	nft_set_elem_change_active(net, set, &he->ext);

}

static void *nft_rhash_deactivate(const struct net *net,

				  const struct nft_set *set,

static struct nft_elem_priv *

nft_rhash_deactivate(const struct net *net, const struct nft_set *set,

		     const struct nft_set_elem *elem)

{

	struct nft_rhash *priv = nft_set_priv(set);

	rcu_read_unlock();

	return he;

	return &he->priv;

}

static void nft_rhash_remove(const struct net *net,

			     const struct nft_set *set,

			     const struct nft_set_elem *elem)

{

	struct nft_rhash_elem *he = nft_elem_priv_cast(elem->priv);

	struct nft_rhash *priv = nft_set_priv(set);

	struct nft_rhash_elem *he = elem->priv;

	rhashtable_remove_fast(&priv->ht, &he->node, nft_rhash_params);

}

		if (!nft_set_elem_active(&he->ext, iter->genmask))

			goto cont;

		elem.priv = he;

		elem.priv = &he->priv;

		iter->err = iter->fn(ctx, set, iter, &elem);

		if (iter->err < 0)

	struct rhashtable_params params = nft_rhash_params;

	int err;

	BUILD_BUG_ON(offsetof(struct nft_rhash_elem, priv) != 0);

	params.nelem_hint = desc->size ?: NFT_RHASH_ELEMENT_HINT;

	params.key_len	  = set->klen;

static void nft_rhash_elem_destroy(void *ptr, void *arg)

{

	struct nft_rhash_ctx *rhash_ctx = arg;

	struct nft_rhash_elem *he = ptr;

	nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, ptr);

	nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, &he->priv);

}

static void nft_rhash_destroy(const struct nft_ctx *ctx,

};

struct nft_hash_elem {

	struct nft_elem_priv		priv;

	struct hlist_node		node;

	struct nft_set_ext		ext;

};

	return false;

}

static void *nft_hash_get(const struct net *net, const struct nft_set *set,

static struct nft_elem_priv *

nft_hash_get(const struct net *net, const struct nft_set *set,

	     const struct nft_set_elem *elem, unsigned int flags)

{

	struct nft_hash *priv = nft_set_priv(set);

	hlist_for_each_entry_rcu(he, &priv->table[hash], node) {

		if (!memcmp(nft_set_ext_key(&he->ext), elem->key.val.data, set->klen) &&

		    nft_set_elem_active(&he->ext, genmask))

			return he;

			return &he->priv;

	}

	return ERR_PTR(-ENOENT);

}

			   const struct nft_set_elem *elem,

			   struct nft_set_ext **ext)

{

	struct nft_hash_elem *this = elem->priv, *he;

	struct nft_hash_elem *this = nft_elem_priv_cast(elem->priv), *he;

	struct nft_hash *priv = nft_set_priv(set);

	u8 genmask = nft_genmask_next(net);

	u32 hash;

static void nft_hash_activate(const struct net *net, const struct nft_set *set,

			      const struct nft_set_elem *elem)

{

	struct nft_hash_elem *he = elem->priv;

	struct nft_hash_elem *he = nft_elem_priv_cast(elem->priv);

	nft_set_elem_change_active(net, set, &he->ext);

}

static void nft_hash_flush(const struct net *net,

			   const struct nft_set *set, void *priv)

			   const struct nft_set *set,

			   struct nft_elem_priv *elem_priv)

{

	struct nft_hash_elem *he = priv;

	struct nft_hash_elem *he = nft_elem_priv_cast(elem_priv);

	nft_set_elem_change_active(net, set, &he->ext);

}

static void *nft_hash_deactivate(const struct net *net,

				 const struct nft_set *set,

static struct nft_elem_priv *

nft_hash_deactivate(const struct net *net, const struct nft_set *set,

		    const struct nft_set_elem *elem)

{

	struct nft_hash_elem *this = nft_elem_priv_cast(elem->priv), *he;

	struct nft_hash *priv = nft_set_priv(set);

	struct nft_hash_elem *this = elem->priv, *he;

	u8 genmask = nft_genmask_next(net);

	u32 hash;

			    set->klen) &&

		    nft_set_elem_active(&he->ext, genmask)) {

			nft_set_elem_change_active(net, set, &he->ext);

			return he;

			return &he->priv;

		}

	}

	return NULL;

			    const struct nft_set *set,

			    const struct nft_set_elem *elem)

{

	struct nft_hash_elem *he = elem->priv;

	struct nft_hash_elem *he = nft_elem_priv_cast(elem->priv);

	hlist_del_rcu(&he->node);

}

			if (!nft_set_elem_active(&he->ext, iter->genmask))

				goto cont;

			elem.priv = he;

			elem.priv = &he->priv;